How to perform Windows authentication?

SQL Server, file and printer sharing, Exchange, and a number of other applications can authenticate the user based on their Windows ID.

How do they do it? In particular, how can I do this?

As a specific example, complete your own Windows code in the following way:

Boolean IsCurrentUserValidForDomain(String domainName)
{
   //TODO: Ask Stackoverflow to fill in the code here
}

I can get us started:

Boolean IsCurrentUserValidForDomain(String domainName)
{
    //Get the security token associated with the thread
    TOKEN userToken;

    // Get the calling thread access token.
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, true, out userToken))
    {
       if (GetLastError() != ERROR_NO_TOKEN)
          throw new Exception("Could not get current thread security token");

       // Retry against process token since no thread token exists.
       if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out userToken))
          throw new Exception("Could not get current process security token");
    }

    //We now have the security token of the running user (userToken)

    //From this, we can get the SID of the user
    PSID sidUser = null;

    // First call with a null buffer only reports the required size
    DWORD cbBuf = 0;
    Boolean bSuccess = GetTokenInformation(userToken, TokenUser, null, 0, ref cbBuf);
    PTOKEN_USER ptiUser = null;
    while ((!bSuccess) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER))
    {
       ReallocMem(ref ptiUser, cbBuf);
       bSuccess = GetTokenInformation(userToken, TokenUser, ptiUser, cbBuf, ref cbBuf);
    }
    if (!bSuccess)
       throw new Exception("Could not query TokenUser from the security token");
    sidUser = ptiUser.User.Sid;

    //Now that we have the user SID, we can get the SID of their domain
    //(same two-call pattern: size query first, then the real call)
    PSID sidDomain = null;
    cbBuf = 0;
    GetWindowsAccountDomainSid(sidUser, null, ref cbBuf);
    ReallocMem(ref sidDomain, cbBuf);
    GetWindowsAccountDomainSid(sidUser, sidDomain, ref cbBuf);

    //We now have
    //TOKEN userToken: security token of the running user
    //PSID sidUser (S-1-5-21-2154378322-3929449213-1104335884-1006)
    //PSID sidDomain (S-1-5-21-2154378322-3929449213-1104335884)

    //TODO: ask stackoverflow if anything i've computed so far can help 
    //answer the question

    //TODO: Ask Stackoverflow to fill in the code here
}
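A complete version of the function, as an added example that is not from the question or from any answer here: it does in managed code what the Win32 sketch above is working toward, comparing the domain part of the caller's token SID with the SID of the named domain. It assumes the domain name resolves through LookupAccountName (which returns the domain's own SID for a bare domain name) and that a domain controller for it is reachable.

```csharp
using System;
using System.Security.Principal;

static class DomainCheck
{
    // Added example, not the question's code: same idea as the Win32 sketch
    // (thread/process token -> user SID -> domain SID) via the managed wrappers.
    // The token itself is the product of Windows authentication: LSA already
    // validated the credentials at logon, so here we only check which
    // authority issued the account, and we compare SIDs rather than names.
    public static Boolean IsCurrentUserValidForDomain(String domainName)
    {
        // WindowsIdentity.GetCurrent() opens the thread token, falling back to
        // the process token, as the OpenThreadToken/OpenProcessToken pair does.
        SecurityIdentifier user = WindowsIdentity.GetCurrent().User;

        // Well-known principals such as NT AUTHORITY\SYSTEM have no domain
        // part; AccountDomainSid would be null for them.
        if (user == null || !user.IsAccountSid())
            return false;

        // Equivalent of GetWindowsAccountDomainSid: the SID minus its RID.
        SecurityIdentifier userDomain = user.AccountDomainSid;

        // Assumption: a bare domain name resolves via LookupAccountName to the
        // domain's own SID (S-1-5-21-...). An unknown or unreachable domain
        // surfaces as IdentityNotMappedException.
        SecurityIdentifier targetDomain;
        try
        {
            targetDomain = (SecurityIdentifier)new NTAccount(domainName)
                .Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            return false;
        }

        return userDomain.Equals(targetDomain);
    }

    static void Main(String[] args)
    {
        // Usage: DomainCheck CONTOSO  (defaults to the caller's own domain)
        String domain = args.Length > 0 ? args[0] : Environment.UserDomainName;
        Console.WriteLine("{0} valid for {1}: {2}",
            WindowsIdentity.GetCurrent().Name, domain,
            IsCurrentUserValidForDomain(domain));
    }
}
```

A match means the account was issued by that domain, not that it is still enabled; a local account matches only the machine name, because the machine SID plays the domain role for it.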


SQL Server, :

Windows, , SQL Server

SQL Server:

Windows, SQL Server , Windows . , Windows. SQL Server .

: SQL Server



SQL Server ?

, , " Windows" , ?

, SQL .

, SQL , ( , , , ). :

Windows?

SQL Server ? Explorer ? Internet Explorer IIS ?

- , Ticket-Granting-Ticket, ?

, . , , GetUsernameEx

CONTOSO\forest


Username: forest
Domain:   CONTOSO

, CONTOSO. , contoso\forest, Windows .

. HYDROGEN CONTOSO. , :

CONTOSO\forest


CONTOSO


, SID

" ", Windows, SID:

contoso\forest: S-1-5-21-1708537768-854245398-2146844275-3110



hydrogen\ginger: S-1-5-21-1708537768-854245398-2146844275-3110

, ? - . Windows SQL Server . 1994 , .


, . , SID SID , . , SID :

| Principal                           | SID                                           |
|-------------------------------------|-----------------------------------------------|
| Machine SID for computer DEMOSYSTEM | S-1-5-21-3419697060-3810377854-678604692      |
| DEMOSYSTEM\Administrator            | S-1-5-21-3419697060-3810377854-678604692-500  |
| DEMOSYSTEM\Guest                    | S-1-5-21-3419697060-3810377854-678604692-501  |
| DEMOSYSTEM\CustomAccount1           | S-1-5-21-3419697060-3810377854-678604692-1000 |
| DEMOSYSTEM\CustomAccount2           | S-1-5-21-3419697060-3810377854-678604692-1001 |

. , , SID . , , , , . SID .

, , SID . SID , . , DEMOSYSTEM SID S-1-5-21-3419697060-3810377854-678604692-1000, , SID, .


SQL Server Windows SID syslogins:

sid                                                         name            isntuser
----------------------------------------------------------  --------------  ---------
0x010500000000000515000000A837D66516C0EA32733EF67F260C0000  CONTOSO\forest  1

SQL Database SID , syslogins, sid, TCP- 1434.

Windows -

"Pass the Hash" NTML Kerberos. :

Windows , Windows.

, Windows , domain\BillG.

Windows Chrome Windows

Chrome Windows -, . , (401) , Negotiate :

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate


GET http://contoso.com/foo HTTP/1.1
Authorization: Negotiate [base64 SPNEGO token omitted]

IE, Chrome -, , , . Windows , . MSDN: HTTP - :


  • , , -, HTTP GET-.
  • -, SPNEGO, 401 Access Denied, WWW-Authenticate: Negotiate.
  • AcquireCredentialsHandle() InitializeSecurityContext() SPN , TGS/KDC.
  • TGS/KDC Kerberos Ticket ( , ), SPNEGO.
  • HTTP- GET + SPNEGO : Negotiate base64 ().
  • - SPNEGO Token Handler API GSS, URL.


, , , , . , , , , , , , .

, , Kerberos SPNEGO base-64'd. API , , - , .


Windows Unix SSPI GSS-API.

  • SPN


  1. C/++ SSPI/GSS-API /.
  2. (/) . GetUsername... .
  3. SSPI/GSS . Kerberos SPNEGO.


  1. C/++ SSPI/GSS-API /.
  2. (/) machine/servce, SPN. GetUsername... .



  1. . ... , .
  2. , , michael-o@STACKOVERFLOW.COM


: NTLM, Kerberos, . UPN.

